cPanel® Blog

What goes into protecting your credit card information on the web?

* This post was originally posted on November 28, 2014, and has been updated for accuracy.

Purchases happen with the click of a button, a swipe of a finger, or simply with no human interaction at all. Whether it’s our monthly subscription to Netflix, the plane tickets that just went on flash sale, or the book we purchased with Prime shipping, our demand for immediacy and automation has placed our credit card information all over the web. That is a scary thought in context, which is why the Payment Card Industry Security Standards Council has developed a set of data security standards that merchants storing credit card information on servers need to abide by. Luckily, for hosting providers using cPanel servers, we’ve already equipped you with the tools to better ensure your information is secure, your customers’ information is protected, and your customers’ customers have secure transactions on the web.

What is PCI Compliance?

Established by the major credit card providers Visa, MasterCard, Discover, and JCB International, the Payment Card Industry Security Standards Council was launched as an independent body in 2006 to focus and advise on the rapidly evolving landscape of the payment transaction process. What resulted was an organic set of criteria, with twelve major tenets, called the Payment Card Industry Data Security Standards (PCI DSS).

Do not use vendor-supplied defaults for system passwords or any other security parameter

Many switches, routers (e.g. wireless), and applications ship with a default admin account that uses a default password. Remove these accounts if possible, or at least change the password to something very complex.

Protect stored cardholder data

Disable direct root logins. A simple configuration file sitting in a publicly accessible directory can still cause issues, even if the permissions on the directory forbid direct access. Storing the data in a database adds a further layer of security, especially if the data is encrypted and hashed.

Encrypt transmission of cardholder data across open, public networks

Keep the cardholder data sent across networks to a minimum, and encrypt it with the highest possible strength.

Use and regularly update antivirus software

The antivirus database needs to be up to date to ensure that any threats created or surfaced after the last manual update can still be caught.

Develop/Maintain secure systems and applications

Restrict access to cardholder data

Machines holding card information should be reachable from the private network only, and two-factor authentication or a higher level of security should be required for access.

Assign a unique ID to each person with computer access

Restrict physical access to cardholder data

Track/Monitor all access to network resources and cardholder data

Audit access logs frequently.
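The "disable direct root logins" and "audit access logs" points above can both be checked mechanically. The following is an added example (not cPanel's code, and not from the original post) that audits an OpenSSH-style auth log for direct root logins, password-based logins and repeated failures, and reads the effective PermitRootLogin value from an sshd_config; the log lines, IP addresses and config text are constructed samples.

```python
import re
from collections import Counter

# Constructed sample log in OpenSSH auth-log format (not real data).
SAMPLE_LOG = """\
Nov 28 10:01:02 host sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 50112 ssh2
Nov 28 10:02:10 host sshd[1210]: Accepted password for root from 203.0.113.7 port 40211 ssh2
Nov 28 10:02:11 host sshd[1215]: Failed password for root from 203.0.113.7 port 40212 ssh2
Nov 28 10:02:12 host sshd[1216]: Failed password for root from 203.0.113.7 port 40213 ssh2
Nov 28 10:05:00 host sshd[1230]: Accepted publickey for alice from 10.0.0.9 port 51000 ssh2
"""

# Constructed sshd_config fragment (assumption: the file uses the usual "Key value" syntax).
SAMPLE_SSHD_CONFIG = """\
# sshd_config excerpt
Port 22
PermitRootLogin no
PasswordAuthentication no
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def audit_ssh_log(text, fail_threshold=2):
    """Return (finding, user, ip) tuples for events a PCI reviewer would want to see."""
    findings = []
    failures = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd auth event
        result, method, user, ip = m.group("result", "method", "user", "ip")
        if result == "Accepted" and user == "root":
            findings.append(("direct_root_login", user, ip))
        if result == "Accepted" and method == "password":
            findings.append(("password_auth_login", user, ip))
        if result == "Failed":
            failures[(user, ip)] += 1
            if failures[(user, ip)] == fail_threshold:  # report once per (user, ip)
                findings.append(("repeated_failures", user, ip))
    return findings


def permit_root_login(config_text):
    """Effective PermitRootLogin value; sshd honours the first occurrence. None if unset."""
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower()
    return None
```

An unset PermitRootLogin is returned as None rather than assumed safe, because the daemon's default has varied between OpenSSH versions.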

Regularly test security systems and processes

Maintain a policy that addresses information security

Create a system of internal policies to ensure the proper, regimented handling of secured information.

While cPanel isn’t PCI compliant right out of the box, turning on SSL Cipher along with a few other features, and keeping your software up to date, should have you ready to accept and administer transactions on your cPanel server.

JR

Equal parts prose, positivity, and passion, JR Miller is a web writer that likes using words to connect with people, enhance experiences, and solve problems. Approaching copywriting as both an art and a science, he believes that a good impression is one that stays with you after the browser window has closed.